Bug 13353 - priorSecret not redacted in logs
Summary: priorSecret not redacted in logs
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.8.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2018-03-23 04:47 UTC by Aaron Haslett (dead mail address)
Modified: 2021-07-25 22:37 UTC
Description Aaron Haslett (dead mail address) 2018-03-23 04:47:37 UTC

    
Comment 1 Aaron Haslett (dead mail address) 2018-03-23 04:48:42 UTC
In LDB, some values are redacted during debug prints. The priorSecret value should also be included in that for the secrets.ldb database.
Comment 2 Andrew Bartlett 2021-07-25 22:37:03 UTC
Fixed in Samba 4.9 and later by:

commit 6a09162df6bd38098253b50a7ac32bfdc8dbf9d4
Author: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Date:   Tue May 1 11:10:40 2018 +1200

    ldb: removing prior secret from logs
    
    priorSecret, like secret, can contain a machine account password
    (for secrets.ldb) and so should not be printed in a debug
    trace.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13353
    
    Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet@samba.org>
    Reviewed-by: Garming Sam <garming@catalyst.net.nz>
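
The redaction the commit message describes, as an added example that is not taken from the bug report or from Samba's source: a C filter that replaces `secret` and `priorSecret` values in a debug trace, assuming the trace is LDIF-formatted text, and that also drops folded continuation lines so the tail of a long value does not leak. The function names, the `<REDACTED>` marker and the sample record are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Attribute names from the bug report; LDAP attribute names are case-insensitive. */
static const char *const secret_attrs[] = { "secret", "priorSecret", NULL };

static int is_secret_attr(const char *name, size_t n)
{
    for (size_t i = 0; secret_attrs[i] != NULL; i++)
        if (strlen(secret_attrs[i]) == n && strncasecmp(name, secret_attrs[i], n) == 0)
            return 1;
    return 0;
}

/* Copy LDIF text from `in` to `out`, replacing each secret attribute value with
 * a marker. Returns the number of values redacted, or -1 if `out` is too small. */
int redact_ldif(const char *in, char *out, size_t out_len)
{
    size_t used = 0;
    int redacted = 0, in_secret = 0;
    if (out_len == 0) return -1;
    out[0] = '\0';
    while (*in != '\0') {
        size_t len = strcspn(in, "\n");
        const char *colon = memchr(in, ':', len);
        int cont = (*in == ' '), n = 0;
        if (!cont) /* a folded continuation line inherits its attribute's state */
            in_secret = colon != NULL && is_secret_attr(in, (size_t)(colon - in));
        if (in_secret && !cont) {
            n = snprintf(out + used, out_len - used, "%.*s: <REDACTED>\n", (int)(colon - in), in);
            redacted++;
        } else if (!in_secret) {
            n = snprintf(out + used, out_len - used, "%.*s\n", (int)len, in);
        } /* else: continuation of a redacted value, dropped */
        if (n < 0 || (size_t)n >= out_len - used) return -1;
        used += (size_t)n;
        in += len + (in[len] == '\n');
    }
    return redacted;
}

/* Constructed sample record (made-up values); the second value is base64 and folded. */
const char sample_ldif[] =
    "dn: flatname=EXAMPLE,cn=Primary Domains\n"
    "secret: constructed-current-value\n"
    "priorSecret:: Y29uc3RydWN0ZWQtcHJpb3It\n"
    " dmFsdWU=\n"
    "flatname: EXAMPLE\n";
```

A filter that matched only lines beginning with the attribute name would leave the ` dmFsdWU=` continuation line in the output, which is the case the `in_secret` flag covers.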